v1.0.0 • local-first • homelab-ready

See suspicious activity on your machine in under 60 seconds.

A local-first security detection playground for developers and homelab users. Run it with Docker Compose, click one button, and watch Hayabusa detect suspicious login activity on your own machine.

Detection triggered: Failed login burst on a local machine

$ hayabusa --smoke-test

[OK] Vector ingest lane: Active

[OK] ClickHouse: Writing 6.42 MB/s

[SQL] SOURCE = security.events; WINDOW = 5m

{ "timestamp":"2026-04-09T05:42:18Z", "src_ip":"192.168.1.45", "user":"admin" }

{ "reason":"failed_password", "count":6, "burst_window":"2m" }

!!! ALERT: BRUTE_FORCE_DETECTED [source: 192.168.1.45]

Operational logic

One security workflow. Fully working. End-to-end.

Stable version: v1

Reliability: real

Latency: < 45s

Ingest (Vector)

Lightweight log shipping and transformation pipeline. Handles syslog and one Windows host lane with minimal CPU footprint.

Alert (Grafana)

Native Grafana webhook routing turns detections into a real payload the local alert sink can receive and log.

Five steps, one story.

  01  Logs enter: Telemetry streams from syslog or Windows forward into Hayabusa.
  02  Events store: Normalized events land in ClickHouse for rapid lookup.
  03  Rules evaluate: Scheduled SQL checks identify suspicious login bursts.
  04  Detection recorded: Matches are written to alert_candidates for alerting and review.
  05  Webhook delivered: Grafana posts a real payload and alert-sink confirms delivery.

What Hayabusa detects today

Focused detection instead of platform sprawl.

Detects suspicious login bursts without burying you in platform sprawl

  • Correlates repeated failed SSH-style logins over short windows
  • Highlights burst behavior instead of isolated noisy failures
  • Supports one Windows auth lane for quick local validation
  • Flags suspicious authentication bursts in real time
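
The burst-versus-isolated-failure distinction described above, as an added example in Python; it is not Hayabusa's own rule, which the page says runs as scheduled SQL. The field names follow the sample event shown earlier, while the window, threshold, `make_event` helper and `accepted_password` value are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values, not Hayabusa's documented thresholds.
BURST_WINDOW = timedelta(minutes=2)
THRESHOLD = 6
FMT = "%Y-%m-%dT%H:%M:%SZ"

def detect_bursts(events, window=BURST_WINDOW, threshold=THRESHOLD):
    """Return one alert candidate per burst of failed logins from a source IP."""
    recent = defaultdict(deque)  # src_ip -> failure times still inside the window
    open_bursts = set()          # src_ips already reported for the current burst
    candidates = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["reason"] != "failed_password":
            continue
        ts, ip = datetime.strptime(ev["timestamp"], FMT), ev["src_ip"]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:    # expire failures older than the window
            q.popleft()
        if len(q) < threshold:
            open_bursts.discard(ip)  # burst ended; a later one may alert again
        elif ip not in open_bursts:
            open_bursts.add(ip)      # report each burst once, not once per event
            candidates.append({"src_ip": ip, "user": ev["user"], "count": len(q),
                               "detected_at": ev["timestamp"]})
    return candidates

def make_event(ts, ip, reason="failed_password", user="admin"):
    """Hypothetical helper that builds an event shaped like the page's sample."""
    return {"timestamp": ts, "src_ip": ip, "user": user, "reason": reason}

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = (
    # Six failures in 48 seconds from one source: a burst.
    [make_event(f"2026-04-09T05:{t}Z", "192.168.1.45")
     for t in ("41:30", "41:40", "41:50", "42:00", "42:10", "42:18")]
    # Six failures ten minutes apart from another source: isolated noise.
    + [make_event(f"2026-04-09T04:{m:02d}:00Z", "192.168.1.77")
       for m in range(0, 60, 10)]
    # A non-failure event is ignored ("accepted_password" is a made-up value).
    + [make_event("2026-04-09T05:43:00Z", "192.168.1.45", reason="accepted_password")]
)

if __name__ == "__main__":
    for candidate in detect_bursts(SAMPLE_EVENTS):
        print(candidate)
```

Both sources produce six failures, but only the one whose failures fall inside a single two-minute window yields a candidate.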

Built for developers and homelabs that want signal fast, not platform overhead

  • Supports one real Windows host lane alongside Linux and syslog telemetry
  • Helps self-hosters validate a lean local detection stack
  • Helps developers see event-driven security detections happen live

Small enough to explain, real enough to demo.

A complete ingest → detect → alert pipeline using simple, composable components.

vector • nats jetstream • clickhouse • detection engine • grafana • alert-sink

Live detection pipeline


Real demo capture coming soon.

See a real login attack get detected on your machine.

Spin up Hayabusa and see your first alert fast.

Built for developers, self-hosters, and homelab users who want immediate local feedback without cloud dependencies or enterprise overhead.